Plex Media servers actively abused to amplify DDoS attacks
Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service (DDoS) attacks.

Plex Media Server provides users with a streaming system compatible with the Windows, macOS, Linux, and FreeBSD platforms, as well as network-attached storage (NAS) devices, Docker containers, and more.

Netscout says that amplified PMSSDP DDoS attacks observed since November 2020 have been abusing UDP/32414 SSDP HTTP/U responses from exposed broadband Internet access routers, redirected towards attackers' targets.

This junk traffic reflected onto victims' servers is sourced from Simple Service Discovery Protocol (SSDP) probes sent by Plex through the G’Day Mate (GDM) protocol for local network service discovery.

In January, Baidu Security Lab also reported observing DDoS attacks using Plex as an amplification vector.

According to a subsequent report from ZoomEye, not all Plex Media Server versions can be abused by attackers.

"After testing by Baidu Lab researchers, it was found that the version of Plex used to attack was less than version 1.21, so it can be inferred that version 1.21 of Plex released in late January this year has fixed this problem (although no relevant information has been seen in the plex official Security bulletin)," ZoomEye said.

Abused in single and multi-vector DDoS attacks
Attacks abusing this UDP reflection/amplification attack vector by targeting PMSSDP reflectors/amplifiers on the UDP/32414 port have an amplification ratio of ~4.68:1 and peak at ~3 Gbps.

However, as Netscout said, "multi-vector (2–10 vectors) and omni-vector (11 or more vectors) attacks incorporating PMSSDP range from the low tens of Gbps up to 218 Gbps."

Attackers can exploit roughly 27,000 exposed devices running Plex Media Server to amplify and reflect DDoS traffic onto their targets' systems.

"It should be noted that a single-vector PMSSDP reflection/amplification attack of ~2 Gbps – ~3 Gbps in size is often sufficient to have a significant negative impact on the availability of targeted networks/servers/services," Netscout added.

"The incidence of both single-vector and multi-/omni-vector reflection/amplification attacks leveraging PMSSDP has increased significantly since November of 2020, indicating its perceived utility to attackers."

As regularly happens with newer DDoS attack vectors, PMSSDP has also been weaponized and is now actively used by booter/stresser DDoS-for-hire services.

These platforms are regularly used by pranksters or threat actors without the skills or time to invest in establishing their own DDoS attack infrastructure.

Booters' services are rented to launch large-scale DDoS attacks targeting servers or sites to trigger a denial of service that usually brings them down or disrupts online services.


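A defensive check built on the figures in the article above (UDP/32414, a ratio of roughly 4.68:1), added here as an example and not taken from the post, Netscout or Plex: it scans flow records for local Plex hosts whose replies on UDP/32414 outweigh the probes they received, and for local hosts receiving reflected traffic from many outside sources. The flow tuple layout, the 192.0.2.0/24 local prefix, the thresholds and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

PMSSDP_PORT = 32414                               # UDP/32414, from the article
INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumed local prefix

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # Outside probes reach an exposed local Plex host; its replies are larger.
    ("198.51.100.7", 40000, "192.0.2.10", 32414, "udp", 1000),
    ("192.0.2.10", 32414, "198.51.100.7", 40000, "udp", 4680),
    # Replies from three outside reflectors converge on one local server.
    ("203.0.113.1", 32414, "192.0.2.50", 53124, "udp", 900_000),
    ("203.0.113.2", 32414, "192.0.2.50", 53124, "udp", 850_000),
    ("203.0.113.3", 32414, "192.0.2.50", 53124, "udp", 920_000),
    # Unrelated traffic that must not be flagged.
    ("203.0.113.9", 443, "192.0.2.50", 51000, "tcp", 50_000),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def abused_reflectors(flows, min_ratio=3.0):
    """Local hosts whose UDP/32414 replies outweigh the probes they received."""
    rx, tx = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == PMSSDP_PORT and is_internal(dst) and not is_internal(src):
            rx[dst] += size          # probe bytes arriving from outside
        elif sport == PMSSDP_PORT and is_internal(src) and not is_internal(dst):
            tx[src] += size          # reply bytes leaving the network
    return {h: round(tx[h] / inb, 2) for h, inb in rx.items()
            if inb and tx[h] / inb >= min_ratio}

def reflection_targets(flows, min_sources=3, min_bytes=1_000_000):
    """Local hosts receiving UDP from source port 32414 from many outside hosts."""
    sources, volume = defaultdict(set), defaultdict(int)
    for src, sport, dst, dport, proto, size in flows:
        if (proto == "udp" and sport == PMSSDP_PORT
                and is_internal(dst) and not is_internal(src)):
            sources[dst].add(src)
            volume[dst] += size
    return {h: (len(sources[h]), volume[h]) for h in sources
            if len(sources[h]) >= min_sources and volume[h] >= min_bytes}

if __name__ == "__main__":
    print("abused reflectors:", abused_reflectors(FLOWS))
    print("reflection targets:", reflection_targets(FLOWS))
```

A host reported by the first function is a candidate for blocking UDP/32414 at the network edge; one reported by the second is on the receiving end and needs upstream filtering on that source port.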